from Modules.Imports.ttp_imports import *
def lin_ioc_submenu():
    """
    Submenu for Linux Host Indicators.

    Builds the numbered option table (keys "1" through "12", in the order
    listed below) and hands it to ``build_submenu``.
    """
    # (description, handler) pairs; the menu key is the 1-based position.
    entries = [
        ("Basics", linux_basics),
        ("Common Malware Names", linux_common_malware_names),
        ("Common Malware Locations", linux_common_malware_locations),
        ("Interesting Search Terms", linux_interesting_search_terms),
        ("Locations of Persistence", linux_locations_of_persistence),
        ("Types of Persistence", linux_types_of_persistence),
        ("Advanced Persistence", linux_advanced_persistence),
        ("Event IDs to Watch", linux_event_ids_to_watch),
        ("Memory Acquisition", linux_memory_acquisition),
        ("File System Artifacts", linux_filesystem_artifacts),
        ("Analysis Resources", linux_analysis_resources),
        ("All", all_linux_iocs),
    ]
    actions = {
        str(index): {"description": label, "function": handler}
        for index, (label, handler) in enumerate(entries, start=1)
    }
    build_submenu("Linux Indicators of Compromise (IOCs)", actions)
### Functions for each submenu option
def linux_basics():
    """Print the "Linux Basics" checklist via ``print_info``."""
    # NOTE(review): `find / -perm -4000` also matches directories; adding
    # `-type f` narrows it to SUID executables. Comparing the result with a
    # known-good baseline (package-manager verification) separates expected
    # SUID files from planted ones.
    print_info(
        "Linux Basics",
        """
- Understand typical file paths and permission settings.
- Monitor unexpected or unplanned cron jobs.
- Investigate binaries with SUID or SGID bits set (`find / -perm -4000`).
- Look for rogue or uncommon processes running as root.
- Analyze .bash_history for suspicious commands.
- Investigate `/var/log/auth.log` for failed or unauthorized access.
- Check for hidden files and directories using `find / -type f -name ".*"`.
""",
    )
def linux_common_malware_names():
    """Print process/file names commonly associated with Linux malware."""
    # NOTE(review): a name alone is a weak indicator. "kworker" in particular
    # is also the name of legitimate kernel worker threads (children of
    # kthreadd); a masquerading process is told apart by having an on-disk
    # executable (/proc/<pid>/exe) or a user-space parent.
    names = (
        "kworker",
        "kinsing",
        "xmrig",
        "cryptonight",
        "apache2 (unexpected locations)",
        "mysql (unexpected locations)",
    )
    # Reproduces the original triple-quoted layout: leading newline, one
    # "- item" per line, trailing newline.
    content = "\n" + "".join(f"- {name}\n" for name in names)
    print_info("Common Malware Names", content)
def linux_common_malware_locations():
    """Print directories where Linux malware is frequently dropped."""
    # NOTE(review): /usr/bin and /usr/local/bin are legitimate binary
    # directories, so presence there is not an indicator by itself; files
    # that the package manager does not account for, or with recent ctime,
    # are what stands out. The world-writable paths (/tmp, /var/tmp,
    # /dev/shm) are where unprivileged droppers usually land first.
    print_info(
        "Common Malware Locations",
        """
- /tmp
- /var/tmp
- /dev/shm
- /etc/cron.*
- /lib/systemd/system/
- ~/.ssh/
- /usr/local/bin/
- /usr/bin/
- /var/spool/cron/crontabs/
""",
    )
def linux_interesting_search_terms():
    """Print file extensions and log strings worth searching for."""
    # NOTE(review): the log strings ("sudo", "wget", "chmod 777") also occur
    # in routine administration; they are useful relative to a baseline of
    # normal activity for the host rather than as stand-alone alerts.
    print_info(
        "Interesting Search Terms",
        """
### Shell Scripts
- `.sh`, `.bash`
### Executable Files
- `.out`, `.bin`, `.elf`
### Archives
- `.tar.gz`, `.zip`, `.xz`, `.bz2`, `.7z`
### Strings in Logs
- "sudo"
- "su root"
- "chmod 777"
- "wget" or "curl"
- "base64"
""",
    )
def linux_locations_of_persistence():
    """Print filesystem locations commonly used for persistence."""
    # NOTE(review): the "Types of Persistence" section lists LD_PRELOAD
    # hijacking, whose on-disk location is /etc/ld.so.preload; shell
    # start-up files (~/.bashrc, /etc/profile.d/) and
    # ~/.ssh/authorized_keys are also routinely checked. The list below is
    # printed unchanged.
    print_info(
        "Locations of Persistence",
        """
- Cron Jobs
- `/etc/crontab`
- `/var/spool/cron/crontabs/`
- Autostart
- `~/.config/autostart/`
- System Services
- `/etc/systemd/system/`
- `/lib/systemd/system/`
- Network Configuration Files
- `/etc/network/interfaces`
- `/etc/hosts`
- SSH Keys
- `~/.ssh/`
- `/root/.ssh/`
""",
    )
def linux_types_of_persistence():
    """Print the categories of Linux persistence mechanisms."""
    techniques = (
        "Cron Jobs",
        "Modified SSH Keys",
        "Custom Systemd Services",
        "Kernel Module Hijacking",
        "Backdoor Network Configurations",
        "LD_PRELOAD Hijacking",
    )
    # Same layout as the original literal: leading newline, "- item" lines,
    # trailing newline.
    content = "\n" + "".join(f"- {technique}\n" for technique in techniques)
    print_info("Types of Persistence", content)
def linux_advanced_persistence():
    """Print persistence techniques that operate below the userland layer."""
    # NOTE(review): these techniques can defeat on-host inspection (a rootkit
    # may hide its own files and processes), which is why the memory
    # acquisition and offline analysis sections matter for confirming them.
    techniques = (
        "Rootkits",
        "Live Kernel Patching",
        "Custom Kernel Modules",
        "Firmware Tampering",
        "Hidden Partitions or Volumes",
    )
    content = "\n" + "".join(f"- {technique}\n" for technique in techniques)
    print_info("Advanced Persistence", content)
def linux_event_ids_to_watch():
    """Print the Linux log files to monitor (menu entry "Event IDs to Watch")."""
    # NOTE(review): the title borrows Windows terminology; Linux has log files
    # rather than event IDs. Which files exist depends on the distribution
    # (auth.log on Debian-family, secure on RHEL-family), and systemd hosts
    # route most of this through journald (`journalctl`). Kernel messages are
    # typically in kern.log / `dmesg` rather than /var/log/messages. Logs on
    # a compromised host can be altered, so forwarded copies are more
    # trustworthy than the local files.
    print_info(
        "Event IDs to Watch",
        """
Monitor important Linux system logs:
- `/var/log/auth.log` for authentication attempts
- `/var/log/secure` for privileged access
- `/var/log/syslog` for suspicious processes or activity
- `/var/log/messages` for kernel-level logs
""",
    )
def linux_memory_acquisition():
    """Print tools and paths relevant to acquiring Linux memory."""
    # NOTE(review): modern kernels restrict /dev/mem (CONFIG_STRICT_DEVMEM),
    # so it usually cannot produce a full dump; that is the reason LiME and
    # AVML exist. /proc/<pid>/maps describes the layout only -- the contents
    # are in /proc/<pid>/mem. Acquire memory before rebooting or killing
    # suspect processes, since it is lost otherwise.
    print_info(
        "Memory Acquisition",
        """
### Tools for Live RAM Capture
- AVML (Azure Virtual Machine Live)
- LiME (Linux Memory Extractor)
### File Locations
- `/dev/mem` for memory dump
- `/proc/<pid>/maps` for process memory mapping
""",
    )
def linux_filesystem_artifacts():
    """Print quick filesystem triage commands."""
    # NOTE(review): `find / -perm 777` matches that exact mode only; the
    # broader world-writable check is `-perm -o+w`. `-mtime` can be defeated
    # by timestomping (touch -r); `-ctime` is harder to forge and is worth
    # checking alongside it.
    print_info(
        "Filesystem Artifacts",
        """
### Look for:
- Recent Modifications: `find / -type f -mtime -1`
- Hidden Files: `find / -name ".*"`
- Unusual Permissions: `find / -perm 777`
- Root-level Scripts or Configurations: `/etc/`, `/usr/local/`
""",
    )
def linux_analysis_resources():
    """Print pointers to hashing, threat-intel, and analysis tooling."""
    # NOTE(review): MD5 is collision-prone; sha256sum is the one to rely on
    # for identification, with md5 only for matching legacy feeds. Uploading
    # a file to a public sandbox or VirusTotal shares it with third parties --
    # look up the hash first and keep sensitive samples in-house.
    print_info(
        "Analysis Resources",
        """
- Check File Hashes: Use `sha256sum` or `md5sum`.
- Threat Intelligence: Search IPs and Domains on VirusTotal.
- Malware Analysis: Analyze suspicious files with tools like Cuckoo Sandbox.
- Log Analysis: Parse logs using tools like Logstash or Elastic.
""",
    )
def all_linux_iocs():
    """
    Displays all Linux IOC content sequentially.

    Calls each section printer in the same order as the submenu entries.
    """
    sections = (
        linux_basics,
        linux_common_malware_names,
        linux_common_malware_locations,
        linux_interesting_search_terms,
        linux_locations_of_persistence,
        linux_types_of_persistence,
        linux_advanced_persistence,
        linux_event_ids_to_watch,
        linux_memory_acquisition,
        linux_filesystem_artifacts,
        linux_analysis_resources,
    )
    for show_section in sections:
        show_section()